fix: pi settings sync

chore: eigent update
2026-04-15 11:38:25 +02:00
parent 25a44e79fa
commit a1b6950e93
9 changed files with 35 additions and 108 deletions
--- a/modules/nixos/pi-agent.nix
+++ b/modules/nixos/pi-agent.nix
@@ -154,6 +154,7 @@ with lib; let
          ${escapeShellArg cfg.stateDir} \
          ${escapeShellArg "${cfg.stateDir}/.pi"} \
          ${escapeShellArg "${cfg.stateDir}/.pi/agent"} \
+          ${escapeShellArg "${cfg.stateDir}/.pi/agent/sessions"} \
          ${escapeShellArg "${cfg.stateDir}/.project-mounts"} \
          ${escapeShellArg "${cfg.stateDir}/projects"} \
          ${escapeShellArg "${cfg.stateDir}/.npm"} \
@@ -174,7 +175,13 @@ with lib; let
      then "1"
      else "0"
    }" = "1" ] && [ -d "$source_dir" ]; then
-          ${pkgs.rsync}/bin/rsync -a --delete "$source_dir/" ${escapeShellArg "${cfg.stateDir}/.pi/agent/"}
+          ${pkgs.rsync}/bin/rsync -a --delete \
+            --exclude='auth.json' \
+            --exclude='mcp-oauth' \
+            --exclude='sessions' \
+            --exclude='bin' \
+            --exclude='mcp-cache.json' \
+            "$source_dir/" ${escapeShellArg "${cfg.stateDir}/.pi/agent/"}
          ${pkgs.coreutils}/bin/chown -R ${escapeShellArg "${cfg.user}:${cfg.group}"} ${escapeShellArg "${cfg.stateDir}/.pi/agent"}
        fi

@@ -346,7 +353,7 @@ with lib; let
          -p RestrictRealtime=yes
          -p RestrictNamespaces=yes
          -p MemoryDenyWriteExecute=no
-          -p UMask=0077
+          -p UMask=0007
          -p ReadWritePaths=${cfg.stateDir}
          -p EnvironmentFile=${cfg.stateDir}/.pi/.env
          -E HOME=${cfg.stateDir}
@@ -358,6 +365,10 @@ with lib; let
          -E PI_AGENT_INVOKING_USER="$invoking_user"
        )

+        ${optionalString (cfg.projectGroup != null) ''
+      cmd+=( -p SupplementaryGroups=${cfg.projectGroup} )
+    ''}
+
        # Only mark existing top-level paths inaccessible; systemd fails namespace
        # setup if InaccessiblePaths points to a non-existent path on this host.
        for p in /home /root /mnt /media /srv; do
@@ -596,6 +607,19 @@ in {
      description = "Extra packages added to isolated runtime PATH.";
    };

+    projectGroup = mkOption {
+      type = types.nullOr types.str;
+      default = null;
+      description = ''
+        When set, the pi-agent user is added to this group and the group is
+        passed as SupplementaryGroups to the systemd-run sandbox. This allows
+        pi-agent to write to project directories that grant group write access.
+        The user must ensure project directories have appropriate group ownership
+        and permissions (e.g. setgid + group write).
+      '';
+      example = "users";
+    };
+
    wrapper = {
      enable = mkOption {
        type = types.bool;
@@ -682,6 +706,7 @@ in {
      "${cfg.user}" = {
        isSystemUser = true;
        group = cfg.group;
+        extraGroups = mkIf (cfg.projectGroup != null) [cfg.projectGroup];
        description = "Isolated Pi agent user";
        home = cfg.stateDir;
        createHome = true;
@@ -693,6 +718,7 @@ in {
      "d ${cfg.stateDir} 0750 ${cfg.user} ${cfg.group} - -"
      "d ${cfg.stateDir}/.pi 0750 ${cfg.user} ${cfg.group} - -"
      "d ${cfg.stateDir}/.pi/agent 0750 ${cfg.user} ${cfg.group} - -"
+      "d ${cfg.stateDir}/.pi/agent/sessions 0750 ${cfg.user} ${cfg.group} - -"
      "d ${cfg.stateDir}/.project-mounts 0750 ${cfg.user} ${cfg.group} - -"
      "d ${cfg.stateDir}/projects 0750 ${cfg.user} ${cfg.group} - -"
      "d ${cfg.stateDir}/.npm 0750 ${cfg.user} ${cfg.group} - -"